I think the answer you accepted is not a strict answer to your question as it appears in the title, but rather to "How does merged mining works". Can you edit your title to reflect this?
–
ripper234Aug 31 '11 at 12:53

4 Answers
4

Merged mining allows a miner to mine for more than one block chain at the same time. The benefit is that every hash the miner does contributes to the total hash rate of both (all) currencies, and as a result they are all more secure.

Starting with a high-level explanation: The miner (or mining controller in the case of pooled mining) actually builds a block for both hash chains in such a way that the same hash calculation secures both blocks. Work units based on this block are then assigned to miners. If a miner solves a block (at the difficulty level of either or both block chains) the block is re-assembled with the completed proof of work and submitted to the correct block chain (or both blocks are separately reassembled and each submitted to the corresponding network if it met both of their difficulty requirements).

The only confusing detail is how the same hash can secure both block chains. I'll use the example of Bitcoin and Namecoin, where Namecoin supports merged mining and Bitcoin doesn't:

First, the miner must assemble a transaction set for both block chains. He then assembles the final Namecoin block and hashes it. He then creates a transaction containing this hash that is valid in the Bitcoin chain and inserts it in the Bitcoin transaction set at the tip of the tree. He then assembles the final Bitcoin header with this transaction in it and sends out the work units.

If a miner solves the hash at the Bitcoin difficulty level, the Bitcoin block is assembled and sent to the Bitcoin network. The Namecoin hash does nothing and the Bitcoin network ignores it.

If a miner solves the hash at the Namecoin difficulty level, the Namecoin block is assembled. It includes the Namecoin transaction set, the Namecoin block header, the Bitcoin block header, and the hash of the rest of the transactions in the Bitcoin block. This entire "mess" is then submitted to the Namecoin system. The Namecoin system, supporting merged mining, accepts this as proof of work because it contains work that must have been done after the block header and Namecoin transaction set was built. (Because you can't build the Bitcoin transaction set containing that hash, and therefore the Bitcoin header that secures it, without that information. So it proves the work was done.)

Note that a miner can solve both chains simultaneously, and they will if they solve at the higher difficulty. One block can "win" in the public chain and not the other. They are fully independent -- only the mining is merged.

Three key points to remember:

The Bitcoin chain doesn't get junked up with Namecoin stuff due to merged mining. At most, one tiny hash is inserted in the transaction tree.

The two hash chains remain fully independent. The "Bitcoin stuff" that goes in the Namecoin tree is basically ignored and only used to validate the proof of work. (It will bloat the Namecoin chain a bit as it means some blocks will have an extra header and an extra hash.)

Lastly, no special support is needed from Bitcoin.

The benefit for Namecoin is obvious. A lot of Bitcoin miners will probably do merged mining, since it costs them basically nothing and gives them a greater return than mining Bitcoins alone. As a result, their block generation timing will be more predictable and their transactions more secure against a 51% attack.

"He then creates a transaction containing this hash that is valid in the Bitcoin chain and inserts it in the Bitcoin transaction set at the tip of the tree." - just to be clear, one creates a bogus transaction for 0BTC that has the exact same hash as Namecoin block and enters it as the last transaction in the merkle tree that is hashed? Doesn't generating the bogus transaction require a lot of resources if it has to match the hash exactly? It it is just inserted without being generated, doesn't this make the block invalid, as it contains an invalid transaction?
–
ThePiachuNov 2 '11 at 21:37

2

@ThePiachu: It doesn't have to "match" the hash, it just has to contain the hash.
–
David SchwartzNov 2 '11 at 22:07

2

So the key to understanding this is that Namecoin has explicit support for merged mining. With two chains not supporting it, this would be impossible. That was what I was struggling with, thanks! BTW, a reference where Namecoin's merged mining support is documented would be great!
–
Steven RooseMay 15 '13 at 8:06

Where do the Namecoin transactions appear in the Bitcoin block? Are they contained in the coinbase of the miner's subsidy transaction? Can you point to Tx on the blockchain and identify it as a Namecoin block hash?
–
pinheadJan 29 at 20:05

@pinhead They don't. Only the hash of the Namecoin block appears in the Bitcoin block.
–
David SchwartzJan 29 at 20:41

Basically the idea is that you assemble a Namecoin block and hash it, and then insert that hash into a Bitcoin block. Now when you solve the Bitcoin block at a difficulty level greater to or equal to the Namecoin difficulty level, it will be proof that that amount of work has been done for the Namecoin block. The Namecoin protocol has been altered to accept a Bitcoin block (solved at or above the Namecoin difficulty level) containing a hash of a Namecoin block as proof of work for the Namecoin block. The Bitcoin block will only be acceptable to the Bitcoin network if it is at the difficulty of the Bitcoin network.

The Bitcoin block chain gets a single extra hash when a merged mining block is accepted, and the Namecoin block chain gets a little bit more (because it includes the Bitcoin block) when a merged mining block is accepted. However, because of the Merkle Tree, the entire Bitcoin block doesn’t need to be included in the Namecoin tree, just the top level hashes (so the extra bloat to the Namecoin chain is not a big problem).

Since you make more money mining both Namecoins and Bitcoins miners will eventually all do merged mining, and the difficulty level for all block chains will eventually be the same.

Furthermore, the economic incentive to mine will be the combined economic incentive of all networks, making all networks more secure. Of course this allows competing networks (with different inflation rates) to quickly become secure. This subjects Bitcoin to more competition.

Ultimately the value of Bitcoin is a reflection of the need for Bitcoins to make exchanges. The more people using Bitcoin to make purchases, the more demand there is for Bitcoins, and the higher the price of Bitcoins goes. (Speculation also raises the price, but long term speculation is essentially a bet that the transactional demand for Bitcoin will increase in the future.) The higher the price, the higher the incentive to mine.

At any given time there is a certain amount of demand for a Bitcoin like currency to make transactions. That need doesn’t increase with more competition. That means that the transactional demand for Bitcoin is really the same as the transactional demand for all substantially similar forms of payment. As more currencies are competing to fill the same demand they actually reduce the demand for the other currencies as they become more widely used.

This means that ultimately, to the extent that currencies are interchangeable to end users, merged mining does not increase the overall security of the networks. The demand for currencies drives the price (and thus the value of the reward). Increased demand for any given currency results in decreased demand for others, lowering the incentive to mine for the other currencies. The total incentive is a function of total demand for all Bitcoin like currencies.

Except now competing currencies can market themselves as “as secure as Bitcoin but with lower transaction fees.” In other words there is a race to the bottom among competing currencies to offer the lowest transaction fees, because lowering the transaction fee doesn’t hurt the security of the network in comparison to the other merged mining networks. Users, following their own self interest, will adopt the currency with the lowest transaction fees as long as it has the same security of the competitors.

This will increase the price of the currency with the lowest transaction fee (because demand for the currency is higher), and decrease the price of the currencies with higher transactions fees (because demand for those currencies is dropping as it is being filled by demand for the competing currency). Because the currencies with the higher transaction fees were the ones generating the incentive to mine, overall incentive to mine will diminish. As long as a currency’s mining is merged with the freeloading currency, it will be powerless to increase incentives by imposing mandatory transaction fees.

The result will be a decrease in mining incentive, a decrease in mining, and ultimately all networks that allow merged mining will become insecure.

One slight correction--not all Bitcoin-like currencies will serve the same demand, and Namecoin is an excellent example of that. Demand for Namecoin is highly based on its alternative DNS system, which Bitcoin does not provide.
–
eMansipaterSep 28 '11 at 17:05

Very true. To the extent that different Bitcoin-like currencies are serving truly different demands, merged mining might increase the overall security. But, to the extent that merged mining enables a transaction fee race to the bottom for each different type of currency, it will destroy overall security of the block chain. (Perhaps there is a way to control which currencies can piggy back on Bitcoin mining? If so, Bitcoin could only invite currencies that contributed some minimum incentive for miners.)
–
Isaac KriegmanSep 28 '11 at 19:03

2

"Basically the idea is that you assemble a Namecoin block and hash it, and then insert that hash into a Bitcoin block." - where does one insert the Namecoin block hash exactly?
–
ThePiachuApr 6 '12 at 13:11

Issac, I'm also interested in where the hash goes and if any examples exist on Blockchain .info. Thanks @ThePiachu
–
LamonteCristoDec 7 '12 at 13:30

The result will be a decrease in mining incentive, a decrease in mining, and ultimately all networks that allow merged mining will become insecure.

and I see some other viable outcomes.
1) a situation could arise where miners derive there income from the most popular Sidechain as Bitcoins bloc rewards diminish over time. As there is minimal financial loss if miners collude to 51% attack the Bitcoin forcing incredibly high fees, or pause transactions.

or

2) merged mining may not become insecure, it may prove to still be profitable in the situation where the financial growth (adoption happens in new Sidechains) this would be the equivalent of monetary inflation, users would stay on the side chain as it has more hashing power protecting it motivated by profit, and abandon Bitcoin as it dosn't have the same incentive structure to motivate hashing protection (users may even abandon Bitcoin's 21 million limit in the worst case) as the adoption of the new chain with growth could be managed according to Monetary policies today.)

one thing to remember in merged mining is that the block hash of the auxiliary chain (eg namecoin) does not need to be below the aux-chain threshold. rather, it is the block hash of the parent (eg bitcoin) which must be below the aux-chain (namecoin) threshold. for example, check out what happened to namecoin when merged mining was introduced in block 19200:

this did not happen because of a difficulty change in namecoin, and it also did not happen because the namecoin difficulty became irrelevant due to merged mining. rather it happened because the criteria for evaluating valid blocks changed due to merged mining.

extra fields were added to the namecoin header and these enable us to verify that the block validates to be below the namecoin threshold. specifically, the parent chain's block hash is now included in the namecoin block header. it is this block hash which is mined in the parent chain and so we can simply observe this block hash and grab any result that is lower than the namecoin threshold.

the reason this parent chain block hash is at all relevant to the auxiliary chain is simply because the block hash of the auxiliary chain is included in the coinbase txin script in the parent chain. this coinbase txin can take any arbitrary value - it need not produce a valid script. so it is a good place to put the parent chain block hash.